Spy vs. Spy

Companies are spending billions on network security, but staying ahead of hackers may be a pipe dream.
Esther Shein, CFO MagazineFebruary 1, 2004

Any way you look at it, 2003 was a real bad year for network security. Although corporate concern over cyber threats jumped dramatically, so too did the number of cyber attacks against companies and their machines. Indeed, security specialist MessageLabs reports that spam accounted for 50 percent of all business E-mail traffic in the United States in May, the first time that junk E-mail outstripped the number of legitimate electronic messages sent to corporations.

And if much spam is relatively harmless, some is decidedly not. Digital pathogens such as SoBig, Mimail, and Yaha, which can infect employee computers and servers alike, all spread via E-mail. MessageLabs reckons that two-thirds of all spam is now being sent by open proxies—created in part by computers and other gadgets infected by viruses.

Fending off this red tide of malicious code won't be easy. While research firm Meta Group Inc. reports that security made up 8.2 percent of corporate IT budgets last year (up from 3.2 percent in 2001), hackers are constantly looking for new ways to flank corporate defenses. Swen, a virus hidden in an E-mail, actually purports to be a security fix from Microsoft for MS Outlook and MS Outlook Express. The message window launched by the virus looks authentic, right down to the Microsoft logo and copyright.

"'Malware' is getting more prevalent, more effective, and nastier," notes Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., a managed security services company. "Hackers are getting better at what they do."

They're also getting better at making money off what they do. Experts say banks and other financial-services providers appear particularly vulnerable to hackers' schemes. One variant of the Mimail worm, for example, targets customers of online payment system PayPal. The virus, which comes as an E-mail warning the receiver that an account is about to expire, actually takes the user to a bogus PayPal verification window. Once there, he or she is asked to enter credit-card numbers and other personal information. "Before, you wouldn't make money off [malicious code]," says MessageLabs president Jos White. "But now there are blended threats between spam and viruses, and [hackers] can find out financial information."

Further compounding the problem: companies are gravitating toward a handful of core applications, usually accessed via the very-public Internet. The combination is a hacker's delight. "Eighty to 90 percent of the world is all using the same software," explains White. "If someone finds a way to compromise that software in any way, everyone gets affected."

10,000 Sheets to the WindNot exactly a thrilling prospect for companies that must resign themselves to a world filled with worms, evil code, and black-hat hackers. Certainly, the odds of warding off attacks are remote. According to a Yankee Group survey of 404 businesses, 83 percent of the respondents said their companies had been hit by viruses or worms last year.

Still, experts say corporate executives are not entirely helpless in the face of the onslaught. One ray of hope: makers of software are getting much more aggressive in combating code writers who target their programs. In November, Microsoft offered a $250,000 reward to anyone who could lead it to the authors of the SoBig and Blaster viruses, which exploit vulnerabilities in the company's software.

Others say an overlapping approach to network protection can limit the damage from viruses. Lance Travis, vice president of research for AMR Research, in Boston, believes adequate security requires a combination of technologies, including firewalls, intrusion detection, intrusion prevention, and vulnerability testing. It also includes a little forethought. "[It's important] to have a well-thought-out security policy that defines how you will secure things," says Travis. He advocates deploying best-of-breed commercial products. "Don't put all your eggs in one security basket," he warns.

Surprisingly, many businesses fail to make full use of the security systems they already have in place. Typically, security programs provide audit information that can identify any problems a corporate network is experiencing, as well as specific times a network may have come under attack.

But Travis says a fair number of companies don't review this information systematically. The hang-up? Data overload. "A lot of these tools, such as intrusion detection, will generate a lot of information that is extraneous," he notes. "So you don't get a single sheet of information but 10,000 sheets, and you have to figure out the top 20 problems."

Gone PhishingHiring an outsourcer to monitor the status reports should solve the problem. Even then, observers say, businesses should carry insurance as a backstop to software. A number of carriers have bundled network-security features with their property coverage. Dave Prosser, a senior product consultant at The Hartford Financial Services Group Inc., says that company's Property Choice policy offers financial protection for files destroyed by network viruses.

The policy also includes business-interruption coverage. While Prosser says insurance provides some peace of mind, he adds that there's a pressing need to educate companies on security basics, such as backing up data on a regular basis. Asserts Prosser: "We need to spend more time providing materials and information to our customers on how to better protect themselves."

That's a tall task, more so as virus writers add new tools to their arsenal. MessageLabs's White believes that combining spam with viruses—as with the PayPal scam—will be a popular tactic in 2004. Hackers have already given a name to the subterfuge, dubbing the mass distribution of "spoofed" E-mail messages with return links that appear to come from reputable businesses "phishing."

With consumers and employees becoming more dependent on E-mail—and with a greater percentage of E-mail being compromised—phishing could become a royal pain to corporate managers. In truth, Counterpane's Schneier does not foresee an end to cyber spying and hacking. "I see no reversing of the trend anytime soon," he says. "It will take major changes in the way our society deals with computers and software. And I'm not sure society is ready to make those changes yet."

Viruses, Trojans, and Worms, Oh My

Top 10 viruses of 2003.

Name

Number of virus interceptions

Description

SoBig.F

32,432,730

"Re: Your Wicked Screensaver," just one of the spoofed subject lines that identify this worm.

Swen.A

4,184,129

One strain masquerades as a Microsoft security update, replete with Microsoft logo.

Klez.H

4,006,766

Comes disguised as a free immunity tool for—what else?—the Klez worm.

Yaha.E

1,920,424

One version offers screensaver; once installed, worm repeatedly tries to contact a website in Pakistan.

Dumaru.A

1,129,061

Another bogus Microsoft security patch, this one E-mails itself to addresses stored on victim's computer.

Mimail.A

1,052,481

A later variant of virus scams credit-card numbers off unsuspecting PayPal customers.